# letsencrypt pulp_installer planning

https://pulp.plan.io/issues/6846

## Solution: Use 3rd-party role

* Tell users to use any 3rd-party ACME role
* Adapt pulp_installer to facilitate using them
* Document some examples
* CI will test HTTP-01 (and DNS-01) with a role, pulp_installer & [pebble ACME CA](https://github.com/letsencrypt/pebble). All running entirely within the CI env.

### Likely documented/suggested roles:

* https://galaxy.ansible.com/nephelaiio/acme_certificate_cloudflare (Cloudflare DNS-01)
* https://galaxy.ansible.com/nephelaiio/acme_certificate_route53 (AWS DNS-01)
* https://galaxy.ansible.com/thulium_drake/acme_ssl (generic HTTP-01 or DNS-01)
* https://galaxy.ansible.com/systemli/letsencrypt (generic HTTP-01 or DNS-01 for letsencrypt)

### pulp_installer adaptations

ACME roles expect a directory where challenge files can be placed. The installer should always create an 'acme' directory and configure the webserver to serve it. The path to this directory needs to be included in the documentation so the user can pass it as input to whichever ACME role is being used to obtain certificates.

--- original suggestion ---

To host a static file (not actual name):

```
/var/lib/pulp/assets/acme.txt
sudo systemctl restart pulpcore-api  # whitenoise
http --verify no https://localhost/assets/acme.txt
```

^ We would need to include a service restart in the middle of the 3rd-party roles though. Unless we have something running to monitor for it?

### ansible pseudocode

```yaml
# Pseudocode: role names and variables are placeholders for the final design.
- hosts: all
  roles:
    - pulp_all_services  # includes running pulp_webserver a 1st time
    - role: acme_ssl
      vars:
        web_dir: /var/lib/pulp/acme/
        acme_ssl_validity_min: 30  # How many days a cert can have left before it's renewed
    - role: pulp_webserver
      vars:
        pulp_webserver_ssl_cert: /path/to/role/created/cert
        pulp_webserver_ssl_key: /path/to/role/created/key
```

### CI test

* Use https://galaxy.ansible.com/thulium_drake/acme_ssl
* Pebble setup early on in CI.
* Test HTTP-01
* Test DNS-01 via a DNS server capable of creating TXT records
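The HTTP-01 path above only works if the webserver really maps `/.well-known/acme-challenge/<token>` onto the installer-created acme directory and serves only that directory. The following is an added example (not pulp_installer code, not part of the original notes) that models that mapping with a stand-in loopback webserver and runs the same check an ACME CA such as pebble performs: GET the token URL and compare the body with the key authorization. The token and thumbprint values are constructed, the temporary directory stands in for `/var/lib/pulp/acme/`, and the regex-based token filter is this example's own choice of how to keep `../` out of the served path.

```python
"""Added example: check that a webroot is served at the ACME HTTP-01 path."""
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are base64url without padding; anything else is rejected up
# front, which also keeps "../" out of the filesystem path we open.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the webserver block that maps the challenge URL prefix onto
    the acme directory (in the notes: /var/lib/pulp/acme/). Only that prefix is
    served; every other request gets a 404."""

    webroot = None  # bound per server instance in serve_webroot()

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)
            return
        token = self.path[len(CHALLENGE_PREFIX):]
        if not TOKEN_RE.fullmatch(token):
            self.send_error(404)
            return
        try:
            with open(os.path.join(self.webroot, token), "rb") as fh:
                body = fh.read()
        except OSError:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_webroot(webroot):
    """Start a background server on an ephemeral loopback port.
    Returns (server, base_url)."""
    handler = type("BoundHandler", (ChallengeHandler,), {"webroot": webroot})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_status(url):
    """GET url and return (status, body) without raising on 4xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def verify_challenge(base_url, token, key_authorization):
    """The check a CA performs for HTTP-01: fetch the token URL and compare the
    body (trailing whitespace ignored, RFC 8555 8.3) with the key authorization."""
    status, body = fetch_status(f"{base_url}{CHALLENGE_PREFIX}{token}")
    return status == 200 and body.rstrip() == key_authorization.encode()


def run_demo():
    """Place a constructed token file in a temporary webroot, serve it, and
    return (challenge_ok, traversal_status)."""
    token = "constructed-token-not-from-a-real-ca"  # constructed sample value
    key_authorization = token + ".constructed-account-thumbprint"  # constructed
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, token), "w") as fh:
            fh.write(key_authorization + "\n")
        server, base_url = serve_webroot(webroot)
        try:
            ok = verify_challenge(base_url, token, key_authorization)
            # A path outside the webroot must not be reachable via the prefix.
            traversal_status, _ = fetch_status(
                f"{base_url}{CHALLENGE_PREFIX}../etc/passwd")
        finally:
            server.shutdown()
            server.server_close()
    return ok, traversal_status


if __name__ == "__main__":
    print(run_demo())
```

In CI the same `verify_challenge` call can be pointed at the real pulp_installer webserver (base URL of the test host, token file written into the acme directory by hand) before pebble is involved, which separates "the directory is served" failures from ACME-protocol failures.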